I've set up LSWS to block access to the server server-wide, via Configuration > Security > Access Control, then added a large number of IP addresses and CIDR ranges into the denied list.

I've done this at server level because I want each LSWS virtual site to inherit this block-list. Each virtual host has nothing specified in Configuration > Virtual Hosts > Virtual Host > Security > Denied List, because as the LSWS help text says:

"You can set up access control at server, virtual host and context levels. If there is access control at server level, the virtual host rules will be applied after the server rules are satisfied."

So what should happen is a visitor from one of the blocked IP addresses should get a '403-Forbidden' error, to be handled in this case by a custom error page. But that doesn't happen.

When you specify multiple addresses in the list, use a comma to separate two addresses.


Aha. Well, that should be easy to fix then. I'll give it a try. Thanks

Could I suggest that you update the help in the LSWS Admin interface to reflect this, please. Now that I look, I see this detail mentioned in the actual LSWS documentation, but it would be very useful to have this point made in the help box within the actual Access Control section.

It will not give a 403 error; the connection will be closed without any response, and you will not see anything in the access log for IPs being blocked.


Sigh. I wish LSWS would report errors like 403's somewhere, like Apache does into the error.log. It's handy to know the strike rate of your access control entries. Not reporting errors like 403's anywhere is not a good feature IMHO.

Why? Sometimes I want to know who exactly is scanning or attacking me so that (if it is serious) I can then upgrade them to a firewall block or take other measures.

Aha. That's clearly very efficient from a technical/performance point of view, which is LSWS's strength.

But the LSWS web manager then loses some valuable information about what is happening (including potential bad stuff) against their server.

For example, I have a lot of active CIDR blocks on my Apache setup and the 403 errors I see in my Apache setup are a very useful way of tracking stuff like badbot activity and individuals doing server vulnerability scans from within blocked IP address ranges.

I use this info to improve things like mod_security rules and/or impose firewall bans across all protocols for IPs that have identified themselves as potentially threatening to other services on other ports - eg when their web attack signature from the 403 log entries identifies them as using certain broad spectrum exploit tools.

Aside from 404 error logs, as it stands now LSWS can't feed any useful info into this management process which is unfortunate.
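
An added example, not part of the thread or of LSWS: one way to get the "strike rate" per access control entry from a server that does log 403s, as described above for Apache. It assumes common/combined log format; the function names, the denied list and the log lines are constructed for illustration (documentation-range addresses), and the denied list uses the comma-separated form mentioned earlier in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data: documentation-range addresses, not real traffic.
DENIED_LIST = "192.0.2.0/24, 198.51.100.17, 203.0.113.0/25"
SAMPLE_LOG = """\
192.0.2.44 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "-"
192.0.2.44 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 403 199 "-" "-"
198.51.100.17 - - [10/Oct/2023:14:01:02 +0000] "GET / HTTP/1.1" 403 199 "-" "-"
198.51.100.99 - - [10/Oct/2023:14:02:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
not a log line
"""

# Common/combined log format: client address, quoted request line, then status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')

def parse_denied(text):
    """Split a comma-separated denied list into networks (a bare IP becomes a /32 or /128)."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in text.split(",") if item.strip()]

def strike_rate(log_text, networks, status="403"):
    """Count log lines with the given status per denied entry; unused entries stay at 0."""
    hits = Counter({net: 0 for net in networks})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(2) != status:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname or garbage in the client field
        for net in networks:
            if addr.version == net.version and addr in net:
                hits[net] += 1
                break  # credit only the first matching entry
    return hits

def report(hits):
    """Return (entry, hit count) pairs, busiest entry first."""
    return [(str(net), n) for net, n in sorted(hits.items(), key=lambda kv: -kv[1])]

if __name__ == "__main__":
    for entry, count in report(strike_rate(SAMPLE_LOG, parse_denied(DENIED_LIST))):
        print(f"{count:6d}  {entry}")
```

Entries that stay at zero hits are candidates for pruning; entries with many hits are the ones to consider for a firewall-level block.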